Understanding NIST 800-37 FISMA Requirements

In: Computers and Technology

Submitted By bobby4455
Words 2451
Pages 10
White Paper

Understanding NIST 800‐37 FISMA Requirements

Contents
- Overview
- I. The Role of NIST in FISMA Compliance
- II. NIST Risk Management Framework for FISMA
- III. Application Security and FISMA
- IV. NIST SP 800-37 and FISMA
- V. How Veracode Can Help
- VI. NIST SP 800-37 Tasks & Veracode Solutions
- VII. Summary and Conclusions
- About Veracode
© 2008 Veracode, Inc.


Overview
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541 et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107-347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

I. The Role of NIST in FISMA Compliance
The National Institute of Standards and…...

Similar Documents

Fisma

...Federal Information Security Management Act (FISMA). The Federal Information Security Management Act of 2002 is a federal law under Title III of the E-Government Act of 2002. FISMA has brought attention within the federal government to cyber security and emphasized a risk-based policy for cost-effective security. FISMA requires agency officials and chief information officers to annually conduct reviews of the agency's information security program and report the results to the Office of Management and Budget. FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget in order to strengthen information system security. According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. Furthermore, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. In the public sector, federal agencies such as the Federal Bureau of Investigation would have to comply with the guidelines to meet the FISMA requirements. The agency would have to develop system security plans for each information system. After doing so they would conduct regular certification and accreditation......

Words: 301 - Pages: 2

Nist

...NIST Computer Security Resource Center (CSRC), FISMA Implementation Project. Site sections: FISMA Detailed Overview; Risk Management Framework (RMF); RMF Steps / FAQs / Guides; Applying the RMF to Federal Information Systems Course; Security Categorization; Security Controls; Security Assessment; Authorization and Monitoring; Security Configuration Settings; Industrial Control System Security; Compliance Resources; News; Events Schedule; FAQs.

FISMA news:
• Aug. 20, 2013: The FISMA Standard / Publication schedule has been updated.
• Apr. 29, 2013: Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, has been approved as final.
• Apr. 29, 2013: The FISMA Standard / Publication schedule has been updated.
• Jan. 18, 2013: NIST anticipates the release of Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Final Public Draft) on Tuesday, February 5th. The final public comment period will run from February 5th through March 1st. Final publication is expected by the end of April.
• Nov. 8, 2012: Links to keynote presentations on Emerging Risk Management and Cyber......

Words: 599 - Pages: 3

Research Specific Requirements for Workstation Domains

...Business of IT: Understanding Regulatory Compliance. In the last few years, governments the world over have taken up the job of protecting consumers and companies against poor management of sensitive information. Unfortunately, this has led to a steady stream of confusing laws and regulations coming from all directions. In this column I'll look at these laws, go into depth on a few of them, and discuss how you, as an IT pro charged with making your company compliant, can approach the issue.

Laws and Regulations. Depending on the industry you're in, your organization may be used to regulations or completely new to them. The late 1990s and early 2000s ushered in the era of laws governing information security, privacy, and accountability, thanks to companies like Enron and to the sheer volume of personal and sensitive information stored in and transmitted through vulnerable channels. At the root of most regulations is the importance of protecting the confidentiality, integrity, and availability of information that impacts a corporation and its stakeholders. These laws can be distilled down to their essential goals:
• Establish and implement controls
• Maintain, protect, and assess compliance issues
• Identify and remediate vulnerabilities and deviations
• Provide reporting that can prove your organization's compliance
Let's take a look at the laws and regulations having immediate impact on IT pros, to understand what each law is about. Don't assume this list represents all of the laws and......

Words: 1573 - Pages: 7

Fisma

...All federal agencies are required to comply with FISMA guidelines for IT systems security. Failure to pass an inspection can result in unfavorable publicity, increased oversight of your agency, computer breaches, and even a reduction in your IT budget. In this white paper, we'll look at:
• What FISMA is and why it was created
• Key steps in achieving FISMA compliance
• Tools that can help you meet FISMA requirements
FISMA provides a set of specific guidelines for federal agencies on how to plan for, budget, implement, and maintain secure systems. These new, stricter security guidelines replaced an expired set of rules under the Government Information Security Reform Act. To achieve FISMA compliance, your agency must:
• Plan for security
• Ensure that appropriate officials are assigned security responsibility
• Periodically review IT security controls
• Authorize system processing prior to operations and periodically thereafter
The Act defines the three security objectives as follows: integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information. The term national security system means any information system (including any telecommunications system) used or......

Words: 894 - Pages: 4

Nist

...NIST Special Publication 800-37 Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Joint Task Force Transformation Initiative
Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
February 2010
U.S. Department of Commerce, Gary Locke, Secretary. National Institute of Standards and Technology, Patrick D. Gallagher, Director.

Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special...

Words: 44881 - Pages: 180

Nist Cyber Security Frame Work

...rights reserved. The NIST Cybersecurity Framework. Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and Technology (NIST) issued a voluntary framework that is fast becoming the de facto standard for organizations to assess their cybersecurity programs.

Richard Raysman, Partner, Holland & Knight LLP. Richard's practice concentrates on computer law, outsourcing, complex technology transactions and intellectual property. He has significant experience in structuring technology transactions and has represented clients in billions of dollars of outsourcing transactions in addition to litigating reported cases. Richard is a guest contributor to The Wall Street Journal on technology issues, and Chambers has selected him as a leading technology attorney. Prior to practicing law, Richard was a systems engineer for IBM Corporation.

John Rogers, Chief Technologist, Booz Allen Hamilton Inc. John has extensive information security experience in a variety of industries including financial services, retail, healthcare, higher education, insurance, non-profit and technology services. He focuses on improving client cybersecurity programs, assessing these programs against industry standards, designing secure solutions and performing cost/benefit analyses.

© 2015 Thomson Reuters. All rights reserved. Practical Law The Journal | Transactions & Business | June 2015, page 37.

Despite major......

Words: 4438 - Pages: 18

Free

...PERFORMANCE WORK STATEMENT
Table of Contents
1 OVERVIEW
2 CONTRACT REQUIREMENTS
  2.1 Objectives Fulfillment
    2.1.1 Business Objectives
    2.1.2 Technical Objectives
    2.1.3 Management Objectives
  2.2 Assumptions and Constraints
    2.2.1 Access Control
    2.2.2 Authentication
    2.2.3 HSPD-12 Personnel Security Clearances
    2.2.4 Non-Disclosure Agreements
    2.2.5 Accessibility
    2.2.6 Data
    2.2.7 Confidentiality, Security, and Privacy
  2.3 Tasks/Sub-Tasks to Be Performed Related to Initiating the Service
    2.3.1 Task 1
    2.3.2 Task 2
  2.4 Period of Performance
3 PERFORMANCE MANAGEMENT OF THE DELIVERED SERVICES
  3.1 Modifications to Service Level Agreements
  3.2 Changes to Key Performance Measures
  3.3 Quality Assurance Evaluation
  3.4 Government Roles and Responsibilities
    3.4.1 Contracting Officer (CO)
    3.4.2 Contract Specialist
    3.4.3 Contracting Officer's Technical Representative (COTR)
    3.4.4 Other Key Government Personnel
  3.5 Contractor Roles and Responsibilities
4 METHODS OF QUALITY ASSURANCE SURVEILLANCE
5 SECURITY REQUIREMENTS
  5.1 Required Policies and Regulations for GSA Contracts
  5.2 GSA Security Compliance Requirements
  5.3 Certification and Accreditation (C&A) Activities
......

Words: 7425 - Pages: 30

Vlt 2 Task 4

| RMF task | Status | Notes | Reference |
|---|---|---|---|
| ...applicable laws, all the hardware and software, and subsystems, etc. | | | FIPS (non-national security systems); CNSS 1253; NIST 800-37, page 21 |
| 1.3 Information System Registration. Identify offices that the information system should be registered with. These can be organizational or management offices. | Not done | Registration starts by identifying the information system (IS) and its subsystems in the inventory system and developing a relationship with the governing organizational management system. Registration allows the creation of efficient tracking tools that are important for security status reporting in harmony with organizational policy. The system could be registered with organizational or management offices. | CNSS 1253 (national security systems); NIST 800-37, pages 21-22 |
| RMF Step 2: Select Security Controls | | | |
| 2.1 Common Control Identification. Describe common security controls in place in the organization. Are the controls included in the security plan? | Not included | "Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information" (NIST SP 800, 2009). Controls allow the organization to efficiently mitigate the risk arising from the use of information systems (IS) to conduct business operations and processes. | NIST SP 800-37, page 24-2 |
| 2.2 Security Control Selection. Are selected security controls for the information system...... | | | |

Words: 3997 - Pages: 16
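The RMF tasks tabulated above (categorize the system, register it, identify common controls, select controls) can be walked through end to end in code. The following is an added example, not code from the Veracode paper, from the tabulated task sheet or from NIST: it applies the FIPS 199 high-water-mark rule to a constructed set of information types, picks the matching SP 800-53 baseline from an illustrative subset of the control catalog (the baseline membership shown is an assumption to be checked against the current SP 800-53 baseline tables, not an authoritative extract), and separates inherited common controls from the controls the system owner must implement. The information types and the common-control list are constructed for the example; national security systems, which follow CNSS 1253 rather than the FIPS 199 high-water mark, are out of scope.

```python
"""
FIPS 199 security categorization (RMF Step 1) feeding SP 800-53 baseline
selection and common-control allocation (RMF Step 2).

Added example, not code from the Veracode paper or from NIST. The sample
information types, the common-control list and the control catalog subset
are constructed for illustration; verify baseline membership against the
current SP 800-53 baseline tables before relying on it.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order of severity.
LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _level(value: str) -> str:
    value = value.lower()
    if value not in LEVELS:
        raise ValueError(f"impact level must be one of {LEVELS}, got {value!r}")
    return value


def _high_water_mark(levels):
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """RMF Step 1: per-objective high-water mark across all information types.

    FIPS 199 sets each objective's system impact level to the highest level
    of any information type the system processes. National security systems
    follow CNSSI 1253, which does not use this rule; they are not handled here.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        "confidentiality": _high_water_mark([_level(t.confidentiality) for t in info_types]),
        "integrity": _high_water_mark([_level(t.integrity) for t in info_types]),
        "availability": _high_water_mark([_level(t.availability) for t in info_types]),
    }


def overall_impact(categorization):
    """Overall system impact level: the highest of the three objectives."""
    return _high_water_mark(categorization.values())


# Constructed subset of the SP 800-53 catalog: control id -> (title, baselines
# it appears in). Illustrative only, not an authoritative baseline extract.
CATALOG = {
    "AC-2":    ("Account Management",                    {"low", "moderate", "high"}),
    "AC-2(1)": ("Automated System Account Management",   {"moderate", "high"}),
    "AU-6":    ("Audit Review, Analysis, and Reporting", {"low", "moderate", "high"}),
    "AU-6(1)": ("Process Integration",                   {"moderate", "high"}),
    "CP-2":    ("Contingency Plan",                      {"low", "moderate", "high"}),
    "CP-2(2)": ("Capacity Planning",                     {"high"}),
    "IR-4":    ("Incident Handling",                     {"low", "moderate", "high"}),
    "IR-4(1)": ("Automated Incident Handling Processes", {"moderate", "high"}),
    "PE-3":    ("Physical Access Control",               {"low", "moderate", "high"}),
}


def select_baseline(impact):
    """RMF Step 2: controls whose baseline membership includes the impact level."""
    impact = _level(impact)
    return sorted(cid for cid, (_, baselines) in CATALOG.items() if impact in baselines)


def allocate(selected, common_controls):
    """Split a selected baseline into common controls inherited from the
    organization and controls the system owner must implement and document."""
    common = set(common_controls)
    inherited = [c for c in selected if c in common]
    system_specific = [c for c in selected if c not in common]
    return inherited, system_specific


# Constructed sample system: three information types (not real data).
SAMPLE_TYPES = [
    InfoType("Contractor PII", "moderate", "moderate", "low"),
    InfoType("Public web content", "low", "moderate", "low"),
    InfoType("Audit records", "moderate", "moderate", "moderate"),
]

# Controls the hosting facility and agency SOC provide as common controls
# (assumed for the example).
SAMPLE_COMMON = {"PE-3", "IR-4", "IR-4(1)"}


def run_sample():
    cat = categorize(SAMPLE_TYPES)
    impact = overall_impact(cat)
    inherited, system_specific = allocate(select_baseline(impact), SAMPLE_COMMON)
    return cat, impact, inherited, system_specific


if __name__ == "__main__":
    cat, impact, inherited, system_specific = run_sample()
    print("categorization:", cat)
    print("overall impact:", impact)
    print("inherited common controls:", inherited)
    print("system-specific controls:", system_specific)
```

The sample system comes out moderate on all three objectives, so the moderate baseline applies and CP-2(2) (high only) is not selected; the three facility and SOC controls are recorded as inherited, and the rest are the system owner's to implement and document in the security plan. An unknown impact level or an empty information-type list raises rather than silently defaulting to low, which is the failure mode a categorization script must not have.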
